Bug 74902 - The kernel symbol "sys_call_table" omitted from ksyms
The kernel symbol "sys_call_table" omitted from ksyms
Product: Red Hat Linux
Classification: Retired
Component: kernel (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Arjan van de Ven
Brian Brock
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2002-10-02 14:30 EDT by Shanan Levin
Modified: 2007-04-18 12:47 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2002-10-02 23:04:12 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Shanan Levin 2002-10-02 14:30:21 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; T312461; 
Q312461; .NET CLR 1.0.3705)

Description of problem:
the kernel symbol sys_call_table is omitted from ksyms. I have found no other 
bug report or explaination of why this deviation from kernel.org source has 
occured.  This interface is needed by products that use certain loadable 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
just look at the kernel symbol table and you will see that the 
symbol "sys_call_table" is missing.

Additional info:
Comment 1 Arjan van de Ven 2002-10-02 14:34:24 EDT
kernel modules never have been allowed to modify system calls, so they only can
call system calls this way. (yes I know some rootkits did it anyway)
And for calling system calls: all system calls are exported functions to
modules, so this cannot be a problem..
Comment 2 Need Real Name 2002-10-02 15:55:55 EDT
That is not true. They are allowed to - in the current kernel.org
tree as well as in previous (7.x) RH kernel lines.
This breaks LiS, for example, which exports STREAMS msging calls. 
See http://www.gcom.com/home/linux/lis/index.html

So, this is a deviation from stock kernel source, both present and 
future.  Red Hat should fix this with a patch release immediately.
Comment 3 Need Real Name 2002-10-02 16:08:45 EDT
Unless this is fixed, we have little choice but to announce to our users that
Red Hat 8.0 has broken kernels and will not support LiS STREAMS.  (All other
distributions will support LiS STREAMS except RedHat 8.0.)  We will have little
choice by to exclude Red Hat 8.0 and only Red Had 8.0 from our supported

Please respond immediately as I may be releasing the information concerning Red
Hat's lack of support for LiS STREAMS to our entire user base shortly.
Comment 4 Woody Marvel 2002-10-02 17:07:08 EDT
Oter vendors like Ulticom use LiS in there applications for Telco industry TEMs 
and NEPS. Is RH AS not going to support that industry anymore? Most of 
the "portable" Telco apps on UNIX could port to Linux with LiS, without LiS, 
the impact to the industry would be tragic. Oh well, I guess there is always 
United Linux!!!!
Comment 5 Need Real Name 2002-10-02 17:58:39 EDT
The following two system calls, from line 195 of asm-i386/unistd.h in kernel 
version 2.5.38, are implemented by LiS.  LiS is a loadable module.

#define __NR_getpmsg            188
#define __NR_putpmsg            189

So it is not correct to say that loadable modules do not implement system 
calls.  LiS has been implementing these calls for years.

Also, from line 521 of kernel/ksyms.c in 2.5.38 is the following:


Red Hat needs to bring its kernel DKI into compliance with the standard 
kernels.  The existence of this symbol in the 2.5 source shows that the kernel 
developers intend to keep this symbol visible to modules.

If you want to remove the symbol, then cook up a patch for a registration 
routine and get the kernel developers to put it into the stock kernel.  LiS 
will gladly use it.

David Grothe
LiS developer
Comment 6 Need Real Name 2002-10-02 21:07:43 EDT
This also makes it impossible to use the XTI library with the RH 8.0 kernel,
since this depends on LiS.
XTI is part of XNS, and thus required for Unix98 certification.
With this symbol removed, it will be impossible to get RH 8.0 anywhere near
Unix98 functionality, since several dozen Unix98-required library calls will
not work.

Also, while removing this symbol may may it harder for a rootkit to alter
syscalls, this is no real security enhancement: It is still possible to
find the address of the syscall table. I am not going to tell you how in
public - please ask your kernel security experts about this.
But if you insist on not publishing this symbol, one of the kernel modules
that no longer work might eventually include code to find the call table. If
such a module is open source, the rootkit hackers have been served a workaround
for your "security enhancement".

Best Regards,

Ole Husgaard.
Comment 7 Need Real Name 2002-10-02 23:04:06 EDT
Those two symbols (putmsg and getmsg) are also required by the ABI suite for
iBCS which is a loadable module.  Linux loses its iBCS compatabiility if the
system call table can not be located and writable.

It is trivial for a rootkit to find the system call table.  The exported
sys_close symbol can be used to scan lower memory for the table and index back 6
longs, or, it is possible to scan for the correct pattern of identical
sys_ni_syscall pointers, or even scan for the correct pattern of pointer
offsets.  If security was the purpose, bear in mind that a system which presumes
the stupidity of the crook is never secure--particularly when source code is

Face it: it was a bad idea.

Please re-export the symbol so that legitimate uses of the system call table do
not have to go to these architecture-dependent extents to locate the call table.
Comment 8 Arjan van de Ven 2002-10-03 08:13:08 EDT

how cute

I was willing to work with the LiS people to actually fix LiS to do the right
thing (and to explain why the export is removed) but this is a great way to make
me loose interest.
Comment 9 Need Real Name 2002-10-03 10:06:12 EDT
We have presented a number of reasons for why the removal of sys_call_table is 
both a bad idea and ineffective to its stated purpose.

So why is it that the best that you can come up with is an insult?

If you have an approved method for LiS to hook its system calls while remaining 
a loadable driver, why don't you share the information with us?
Comment 10 Need Real Name 2002-10-03 10:11:13 EDT
I also want to register my objection, and I hope to speak for the entire LiS 
community, to the absolute arrogance on the part of Red Hat to mark the status 
of this report as CLOSED while active dialog is going on.

Just who do you think you are that you can unilaterally make changes to 
standard kernel source in such a manner as to render the kernel non-compliant 
with UNIX98 and break any number of existing drivers?  Whatever happened to the 
concept of the Bazaar?  This is more like the Bizarre.  Or maybe Kafka.
Comment 11 Shanan Levin 2002-10-03 10:12:52 EDT
I understand that this may not be the most interesting topic, and statements 
like "write a flame comment" don't exactly encourage collaboration, but the 
reason so many people are upset is that "we" (LiS, telco developers, and 
others) want our products to run on a stock RedHat Linux distribution, as well 
as other distributions.  We DO NOT want to exclude the stock RedHat 
distribution from our future releases compatibility lists.  I appologize for 
the "flame bugzilla.redhat.com" comment posted and request that at a minimum, 
someone from RedHat please explain the reasoning behind these changes and if 
possible, work with LiS and other developers so that "we" can continue to 
maintain stock RedHat Linux compatibility.  "We" all want this to work, each 
for our own reasons.

I will keep the Bug state as "Closed Won't fix", but make a final request that 
either within this bug's comments or on RedHat's developer network
(http://redhat.com/devnet/), someone within RedHat post more information, 
create a developer discussion forum and work with LiS and any other project 
that runs into these problems introduced by the kernel symbols that have been 
removed/omitted in a stock redhat kernel.

Thank You for your time,
Shanan Levin
Comment 12 John Levon 2002-10-03 20:35:05 EDT
Shanan: I am glad one of you is prepared to apologise for the
appalling childishness displayed by the link Arjan posted.

In your particular circumstance, probably a better solution
is to provide a simple permanent -ENOSYS hook patch to the mainline
kernel. This allows you to provide system calls correctly, without
the horrible ugliness and danger of sys_call_table hacks.

There are already spaces reserved in entry.S for your system calls.

The canonical example: sys_nfsservctl

Arjan: I suggest simply ignoring vassilii@tarunz.org and others
"demanding" things from Red Hat in favour
of people who are prepared to act in an adult manner.
Comment 13 Need Real Name 2002-10-04 02:09:14 EDT

the "mainline" stable kernel exports sys_call_table, so no patch is required
to the official 2.4 kernels

nfsd module can be unloaded with clients present, LiS does not need to
be unloaded so sys_nfsservc is not completely applicable.
Comment 14 Need Real Name 2002-10-04 08:56:13 EDT
There is a second problem with the example of nfsservctl.  As far as I can tell,
this method won't work for LiS.

sys_nfsservctl gets itself into the kernel by having the user configure it in
with menuconfig.  If it isn't desired, sys_nfsservctl is #defined to be
sys_ni_syscall.  NFS doesn't have to put itself into the table defined in
entry.S because it is already there at compile time.

The LiS entry points are not already there at compile time, and I'm under the
impression that they never will be in the official kernel or in any kernels
provided by a vendor.  The LiS entry points are already set to sys_ni_syscall to
return -ENOSYS.

This brings us back to the original problem.  LiS needs to put itself into an
already compiled and running kernel, and the only way to do that is to modify
sys_call_table when it is loaded.

If there is another officially approved way to do this without recompiling the
kernel, then somebody please let us know.

Comment 15 Need Real Name 2002-10-04 10:35:33 EDT
Arjan: I was out yesterday - so let me apologize today 
for any hurt feelings. The message linked to was addressed
to a community of LiS people, and was actually a followup
on a thread. (The thread's idea was to have everybody
whose plans are hurt by this kernel deviation to write
his reasons here so that RH knows. The ones it was addressed
to - i.e. the people from the LiS mail list - took it as
intended by presenting technical reasons against the move.)
I don't mind you guys ignoring me personally, but I don't
see how this has anything to do with complete validity (IMHO)
of the others' technical issues here. Ignore my comments
if you wish, but do answer theirs - please.
Comment 16 Jeff L Smith 2002-10-04 16:50:34 EDT
I also have an interest in seeing this missing symbols fixed in Red Hat 8. We 
develope the Communications Server for Linux here in IBM and have already got 
support for Red Hat 7.2, 7.3 stock and SuSE 8. We do not want to make a 
statement that the Red Hat 8 is not supported. Will this problem also be 
expected in the next Red Hat Advanced server release? We use the LiS Streams 
code as well and we already are having alot of users migrating to Linux. This 
type of problem will not be good Press for any involved. Please keep us 
informed of where to find more discussions on this matter. 
  Thank you.
Comment 17 Rik van Riel 2003-06-19 12:34:01 EDT
The syscall table is no longer visible in the 2.5 kernel either, since there is
no way to safely modify it on an SMP system.

If people want to support the 2.6 kernel, they will have to modify their
software in the exact same way they need to modify it in order to support recent
Red Hat systems based on the 2.4 kernel.

Asking Red Hat to export the syscall table again for 2.4 will not buy you
anything except some extra time, once 2.6 comes out the changes need to be made
Comment 18 Arjan van de Ven 2003-06-19 13:49:35 EDT
will the IBM dude that keeps adding IBM internal things to this bug please stop
doing so.
Comment 19 Need Real Name 2003-06-19 15:07:46 EDT
grep sys_call_table /boot/System.map
Comment 20 Arjan van de Ven 2003-06-19 15:09:33 EDT
thank you for reminding us to remove this as well.
Comment 21 Rik van Riel 2003-06-19 15:21:41 EDT
grep sys_call_table /proc/ksyms
Comment 22 IBM Bug Proxy 2005-07-11 15:08:54 EDT
---- Additional Comments From jefsmith@us.ibm.com  2005-07-11 15:00 EDT -------
Yes, please close this bug. 

Note You need to log in before you can comment on or make changes to this bug.